Canadian Privacy Decisions

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding the Department of National Defence’s (DND) disclosure of deceased Canadian Forces members’ medical records to Military Police investigators for suicide investigations. The OPC found that while DND’s Directorate of Access to Information and Privacy (DAIP) generally acted appropriately in assessing the necessity of the requested information, its record-keeping practices were insufficient, failing to retain all requested disclosure forms as required by the Privacy Act. DND was recommended to improve its policies and procedures to ensure full retention of request forms, verify the statutory authority for investigations, and maintain more comprehensive disclosure records.

• Adequacy of DND's assessment of necessity for disclosing medical records under paragraph 8(2)(e) of the Privacy Act for suicide investigations.
• Sufficiency of DND's record-keeping practices concerning requests and disclosures under paragraph 8(2)(e).
• DND's interpretation of its obligations regarding lawful investigations and adherence to its own policies.
• Whether DND's disclosure of records was consistent with the Privacy Act and TBS Directive.

Several complainants alleged that the Correctional Service Canada (CSC) unlawfully collected personal information through the use of a cell-site simulator near the Warkworth Institution. While CSC confirmed collecting six text messages, it denied intercepting conversations and stated the collection was not authorized. The Office of the Privacy Commissioner of Canada (OPC) found that while the collection of metadata was consistent with the Privacy Act given security concerns, the interception and collection of text message content was not authorized and therefore contravened the Act.

• Whether the collection of cell phone metadata and text messages by CSC constituted personal information under the Privacy Act.
• Whether the collection of cell phone metadata was directly related to CSC's operating programs or activities.
• Whether the interception and collection of text message content was authorized under the Privacy Act.

Four complainants alleged that Transport Canada's requirement for owners of unmanned aircraft to display their personal information on the device contravened the Privacy Act. They argued this obligation to publicly display contact information without consent was a violation of disclosure provisions. The Office of the Privacy Commissioner of Canada (OPC) found that while the information collected is personal, the requirement did not constitute a collection by Transport Canada itself, and therefore, the disclosure provisions of the Act did not apply. The OPC concluded the complaints were not well-founded, acknowledging the measure was an interim safety precaution but noted Transport Canada intended to revise the regulations to address privacy concerns.

• Whether the requirement to display personal information on unmanned aircraft constitutes a collection under the Privacy Act.
• Whether the disclosure of personal information on unmanned aircraft contravenes the disclosure provisions of the Privacy Act.
• The balance between aviation safety and public privacy.
• The authority of the Minister of Transport to issue interim orders for aviation safety.

This investigation concerned a complaint alleging that Statistics Canada (StatCan) improperly disclosed confidential census data to Shared Services Canada (SSC) when transferring its IT infrastructure. The complainant also raised concerns about the adequacy of safeguards and supervision of SSC employees handling the data. The OPC found that StatCan did not disclose personal information contrary to the Privacy Act, as it was legally required to transfer its IT infrastructure to SSC. Furthermore, StatCan took reasonable measures to define its relationship with SSC and ensure privacy and security considerations were addressed.

• Whether StatCan improperly disclosed confidential census data to SSC.
• Whether StatCan took reasonable measures to safeguard the census data transferred to SSC's IT infrastructure.
• Whether StatCan adequately supervised SSC employees with access to the data.
• Whether the transfer of data was consistent with the Statistics Act and the Privacy Act.

The complainant alleged that Health Canada collected more personal information than necessary for adjudicating claims under its Non-Insured Health Benefits (NIHB) Program. Specifically, concerns were raised about the detailed patient information required for the approval of drug benefits. Health Canada demonstrated that the information collected through Limited Use forms for drug benefits was directly related to the administration of the NIHB Program and necessary for determining eligibility based on established clinical criteria.

• Was the personal information collected by Health Canada directly related to an operating program or activity of the institution?
• Was the information collected necessary for the adjudication of claims for limited use drug benefits under the NIHB Program?
• Did Health Canada require more personal information than necessary for the adjudication of claims?

This investigation was initiated following a complaint that the RCMP used cell site simulators, also known as "Stingray" devices or "IMSI catchers," without confirming or denying their use. The complainant was concerned these devices could intercept private communications and extract encryption keys. The investigation found that while the RCMP's cell site simulators cannot intercept private communications, there were six instances where they were used without prior judicial authorization or exigent circumstances, which constituted a contravention of the Privacy Act. The RCMP has since implemented a policy requiring prior judicial authorization for all deployments unless exigent circumstances exist.

• Use of cell site simulators (mobile device identifiers) by the RCMP
• Capability of cell site simulators to intercept private communications
• Requirement for judicial authorization for the collection of personal information using cell site simulators
• Handling and retention of data collected from third-party devices

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint regarding the MyDemocracy.ca website, operated by the Privy Council Office (PCO). The complainant alleged that despite promises of anonymity, the website used Facebook Connect tracking, potentially disclosing personal information to Facebook. The OPC found that the website's design led to the automatic disclosure of IP addresses and browser information to Facebook upon visiting the site, even before users chose to share content. While PCO made some changes and no evidence suggested PCO used the data to identify individuals, the OPC concluded that the initial disclosure was not consensual and violated section 8 of the Privacy Act. Consequently, the complaint was found well-founded.

• Disclosure of personal information to third parties (Facebook) without consent.
• Whether IP addresses and browser characteristics constitute 'personal information' under the Privacy Act.
• Adequacy of privacy notices and consent mechanisms for third-party data sharing.
• Failure to conduct a Privacy Impact Assessment (PIA).

The Office of the Privacy Commissioner (OPC) investigated three complaints concerning privacy breaches within the Phoenix pay system. The investigation revealed that Public Services and Procurement Canada (PSPC) had inadequate testing, coding errors, and insufficient controls, leading to multiple breaches of federal public servants' personal information. These breaches exposed names, Personal Record Identifier (PRI) numbers, and salary information, with some vulnerabilities being government-wide and potentially allowing data changes. The OPC found the complaints to be well-founded, citing the system's vulnerabilities and PSPC's initial underreporting of the scope of the breaches.

• Unauthorized access to and disclosure of personal information within the Phoenix pay system.
• Inadequacy of PSPC's testing, coding, and security controls for the Phoenix system.
• Scope and impact of the privacy breaches on federal public servants.
• Timeliness and adequacy of PSPC's notification to affected individuals.

The Office of the Privacy Commissioner of Canada (OPC) investigated a complaint that Health Canada was over-collecting personal information, specifically diagnostic details, for medical transportation and specialist services under its Non-Insured Health Benefits (NIHB) Program. The OPC found that while Health Canada's intention was to confirm policy requirements for travel, the form used inadvertently led to the collection of unnecessary diagnostic information. Health Canada has since removed the problematic field from the form.

• Whether Health Canada collected more personal information than necessary for the administration of the NIHB Program.
• Whether the collection of diagnostic information for medical transportation and specialist services contravened the Privacy Act.
• The adequacy of Health Canada's NIHB Medical Transportation and Specialist Referral Form in preventing over-collection of personal information.

This investigation concerned a complaint that the Royal Canadian Mounted Police (RCMP) inappropriately disclosed the complainant's personal information, including details of a past suicide attempt, to US Customs and Border Protection (CBP) via the Canadian Police Information Centre (CPIC). The complainant alleged this disclosure led to her being deemed inadmissible to the US. The Office of the Privacy Commissioner of Canada (OPC) found the disclosure was not authorized under the Privacy Act, as it did not meet the criteria for law enforcement or criminal justice purposes as defined by the Memorandum of Cooperation (MOC) between the RCMP and the FBI. Although the RCMP implemented some changes to CPIC policies, the OPC concluded they remained unclear and did not sufficiently protect against unauthorized disclosures.

• Whether the disclosure of personal information related to a suicide attempt to US border officials via CPIC was authorized under subsection 8(2)(f) of the Privacy Act.
• Whether the disclosure was authorized under subsection 8(2)(a) of the Privacy Act as a use consistent with the original purpose of information collection.
• Whether CPIC policies adequately protected against unauthorized disclosure of sensitive personal information.
• The interpretation of 'law enforcement' and 'criminal justice purposes' in the context of border security assessments.

The Office of the Privacy Commissioner (OPC) investigated two complaints against the Parole Board of Canada (PBC) concerning access to record suspension information. The OPC found that the PBC improperly refused to process access requests submitted by a third-party screening company and also improperly required requesters to provide excessive identification information. The OPC concluded that the PBC's reliance on paragraph 22(1)(b) of the Privacy Act was not justified in most cases, and its identification requirements went beyond what was necessary.

• Can a requester ask to confirm that no personal information exists?
• Is paragraph 22(1)(b) of the Privacy Act properly applied to refuse access requests for record suspension information?
• Are the PBC's identification requirements for processing requests excessive?

The OPC investigated two complaints regarding the Canada Border Services Agency's (CBSA) participation in the TV show "Border Security: Canada's Front Line". The investigation focused on a complaint filed by the British Columbia Civil Liberties Association on behalf of an individual filmed during a CBSA enforcement activity. The OPC found that the CBSA's participation and disclosure of personal information to the production company, Force Four, violated sections 4 and 8 of the Privacy Act due to issues with informed consent and improper disclosure of information. The OPC recommended the CBSA cease its participation in the TV program, which the CBSA accepted.

• Validity of consent obtained for filming and disclosure of personal information
• CBSA's ability to contract out of Privacy Act obligations
• Adequacy of facial blurring to protect identity
• Disclosure of information about an intended subject prior to filming

A complainant expressed concerns that personal taxpayer information held by Mobilshred Inc. under contract with the Canada Revenue Agency (CRA) could be accessed by US authorities under the USA PATRIOT Act, due to Mobilshred's perceived US affiliation. The OPC investigated whether the CRA had adequately safeguarded this information. The investigation determined that Mobilshred Inc. is a Canadian company, and the contract explicitly requires all stored paper records to remain physically within Canada. Therefore, the CRA took adequate measures to prevent unauthorized disclosure.

• Potential for US authorities to access Canadian taxpayer information stored by a contractor under the USA PATRIOT Act.
• Whether the Canada Revenue Agency adequately safeguarded personal information entrusted to a third-party contractor.
• The corporate structure and operational location of Mobilshred Inc. and its parent company, Recall.

Canada Post's collection of electronic signatures for mail tracking was investigated following a complaint. The OPC found that Canada Post's collection, use, and disclosure of signatures for tracking purposes complied with the Privacy Act, as it was consistent with the original purpose of collection and a permitted disclosure under paragraph 8(2)(a) of the Act. However, the OPC identified shortcomings in the security and privacy controls of Canada Post's online tracking website and made recommendations for improvement, which Canada Post accepted.

• Adequacy of notice provided to individuals regarding the collection, use, and disclosure of their electronic signatures.
• Compliance with the Privacy Act regarding the collection, use, and disclosure of personal information.
• Adequacy of security and privacy controls for digitized signatures displayed on Canada Post's online tracking website.

The complainant alleged that the RCMP inappropriately used employees' personal information during a training course. The RCMP used real personal information from 91 employees for a data entry exercise without their consent and without advising participants of the data's sensitive nature. The RCMP acknowledged the contravention of section 7 of the Privacy Act and notified the affected employees.

• Use of personal information for training purposes without consent
• Adequacy of notification to affected individuals
• Consistency of use with the original purpose of collection